
Penn State Hit With False Claims Act Lawsuit Over Lying About NIST 800-171 Compliance

For those companies who are required to comply with NIST SP 800-171 (government contractors mostly), here is something else to consider.

A lawsuit against Penn State was recently unsealed. While the story is a bit convoluted, the University's former CIO claims that Penn State falsely asserted that it was compliant. He was brought in several months after an attack attributed to Chinese hackers to make sure that the University's Applied Research Lab was compliant.

After a few months he was appointed interim Vice Provost for Information Technology.

After he left that interim position, he learned that the University was disregarding some of his recommendations.

One change they made was to cancel their contract with Box.com's FedRAMP-certified virtual file store. Their logic was that since they were already paying for the education version of Microsoft Office, which is not as secure as 800-171 requires, they could store all of their CUI in the commercial cloud and save money.

Penn State made self-attestations that they were in compliance with 800-171 when they were not.

The complaint alleges that "Penn State has no SSPs. Penn State's SPRS entries are falsified. There are dozens of projects where Penn State has attested compliance but never met it. To this day Penn State does not appear to be working toward compliance." (An SSP is the System Security Plan that 800-171 requires; SPRS is the Supplier Performance Risk System where contractors record their self-assessment scores.)

This lawsuit was filed as a qui tam action, meaning that someone other than the government filed the case on the government's behalf. The government has until September 29th to decide whether it wants to take over the case.

Here is the rub. Qui tam cases are more likely to result in a win for the plaintiff, and the plaintiff could get up to 60% of the damages assessed, which could be the sum of the dollar value of all of the contracts on which the University allegedly lied about being compliant. But that means the former CIO would need to run the case with his own lawyers.

Alternatively, the government could take over the case – we will find out in a week or two – in which case he could still get as much as 30%.

Some people are suggesting that the government will not take over the case even though it is a slam-dunk win. We shall see.

In another recent False Claims Act settlement, Booz Allen Hamilton agreed to pay $377 million, and the whistleblower, another former employee, got $70 million.

These are both examples of one type of insider threat – a very expensive type.

You really don't want to lie to the government, because (a) the government has a lot of lawyers and (b) the former insider has millions of reasons to try to get a win.

The Department of Justice has spun up a whole division to prosecute these False Claims Act cases, so expect a lot more. Still, with just the one recent Booz Allen settlement, netting the government $300+ million after paying the whistleblower, that division will be, shall we say, cash-flow positive for quite a while. Credit: The Register

IF YOU HAVE A REQUIREMENT TO COMPLY WITH NIST SP 800-171 AND NEED ASSISTANCE, PLEASE CONTACT US.